Cloud 101
Circle
Events
Blog

What Are the DoD Cloud Computing Security Assessment Requirements?

What Are the DoD Cloud Computing Security Assessment Requirements?

Blog Article Published: 01/26/2023

Originally published by Schellman.

Written by Jon Coffelt, Schellman.

When you compare the two tallest mountains in the world—K2 and Everest—some of the facts might surprise you. For instance, did you know that K2’s climbing route is more technical than that of the tallest mountain in the world?

In fact, in terms of the journey from foot to peak, the K2 summit is actually farther than Mount Everest. That’s why roughly only 300 people have climbed it, compared to approximately four thousand summits on Everest.

To put this in federal compliance terms, if FedRAMP is the prominent Everest, then Department of Defense (DoD) requirements are K2.

Everybody knows FedRAMP by this point, but when preparing an initial cloud service offering (CSO) for use by the DoD, you must implement controls above and beyond those baselines, including NIST SP 800-53 controls, Non-NIST based DoD requirements, and DoD General Readiness requirements. Not only that but your DoD Mission Owner (MO)—or your DoD sponsor entity—may select DoD Service Level Agreement (SLAs) and Privacy Overlay controls (NIST 800-53-based) as well DoD agency requirements or data classifications/usage applicable to your CSO.

So what does it take to “summit” what can be incredibly complex DoD requirements? As a seasoned 3PAO, we’re going to pass some insight on to you.

In this article, we’ll break down the different DoD Assessment requirements as laid out by the Defense Information Systems Agency (DISA), along with the necessary deliverables needed for review and what must happen after the initial package gets approved or if any changes are made.

Read on to understand how this all works so you can better simplify what are incredibly complex compliance requirements.

A Breakdown of Required DoD Compliance Controls

In-Scope DoD NIST SP 800-53 Controls by Impact Level

DoD requires a FedRAMP System Security Plan (SSP) and DoD SSP Addendum for all Impact Levels (IL4-IL6) CSO packages. This addendum is structured similarly to the FedRAMP SSP—it covers the descriptions of security control implementations for DoD-impacted controls (IL4, IL5, IL6 controls):

IL2

Moderate: 325

IL4

Moderate: 363

High: 421

IL5

Moderate: 372

High: 430

IL6

Moderate: 372*

High: 430*

*Control CA-3(1) is not applicable at impact level 6. Moderate and High IL6 adds SC-7(14).

NOTE: DoD adds several control parameter changes to FedRAMP control baselines.

For details of controls in the above table, see Table 5-1 DoD FedRAMP+ Security Controls/Enhancements in the SRG v1r4.

NIST SP 800-53 DoD Service Level Agreement (SLAs) and Privacy Overlay Controls

The DoD SSP Addendum is also used to document control implementations for DoD Mission Owner Service Level Agreements (SLAs) and Privacy Overlay controls if in scope.

To confirm whether these are required as part of your baseline and need to be assessed, check with your DoD Mission Owner and DISA. If they are, see sections table D-2 and Appendix E, respectively, within the DoD SRG v1r4 for details.

Non-NIST-Based DoD Requirements

Here’s a high-level (i.e., not exhaustive) summary of what those address:

  • Supply Chain Risk Management Plan (SCRM Plan), including anti-counterfeit plan.
  • Multi-factor authentication with virtual/soft tokens (IL2 and IL4) or physical/hard tokens (IL5 – IL6) is required.
  • Physical separation of IL5 tenant data from non-federal tenant data. Logical separation must exist between the federal agency and DoD tenants for IL2 and IL4.
  • System components must be hardened using DISA STIGs, when available.
DoD General Readiness Requirements

The DoD SSP Addendum also covers DoD General Readiness requirements, which are outlined in section 11.1 DoD General Readiness Requirements (GR):

GR-# Question Requirements
GR-1 DoD PKI Authentication
  • Enforce DoD PKI (in accordance with DoDI 8520.03) for the authentication of both privileged and non-privileged users.
  • Enable DoD PK for customer orders/service management portals for all service offerings
  • SaaS providers must be DoD PK-enabled for general DoD user access.
GR-2 DoD IP addressing
  • Describe your plan for implementation and support of DoD IP addressing.
GR-3 Data Locations
  • Provide a list of the physical locations where your data could be stored at any given time and how it is ensured that the data remains under U.S. jurisdiction at all times.
GR-4 Management Plane Connectivity
  • Explain how your CSO management/monitoring systems are integrated with your corporate or general network.
GR-5 CSO Personnel
  • Confirm your position sensitivity risk determinations based on OPM guidance and the Position Sensitivity Tool.
  • Restrict potential access to DoD information to U.S. citizens.
  • Verify that all CSO roles with access to DoD CUI that are categorized as critically sensitive have been subject to a satisfactory Single Scope Background Investigation or other background investigation for high risk.
  • Verify that the other CSO roles with moderate risk position designations and access to non-critical sensitive information have been subject to a satisfactory moderate risk background investigation or a National Agency Check with Law and Credit.
GR-6 Private Connection Availability Between CSP’S/CSO’s Network and DoD Network
  • Explain how you will obtain a private connection capability between the off-premises network and DoD networks in support of connections through the boundary cloud access point (BCAP) and meet-me points.
GR-7 Reliance on Internet-Based Capabilities
  • Describe the CSO or user experience reliance on internet-based capabilities such as the public DNS or content delivery networks.
  • Detail how such capabilities are available via the CSO infrastructure and the connections to it via the DISA BCAPs.
GR-8 Reliance of Internet Access
  • Explain the reliance on internet access to reach your management/service-ordering portal or API endpoints from either NIPRNet or from within the CSO.
  • Detail how all such capabilities are available via the CSO infrastructure and the connections to it via the DISA BCAPs.
GR-9 CSP/CSO's Protection
  • Describe the protections in place in your network and CSO to prevent the CSO from becoming a backdoor to the NIPRNet via the private connection through the BCAP.
GR-10 Defense in Depth Architecture
  • Explain your required robust boundary protection (defense-in-depth security/protective measures) implemented between the internet and the CSO.

DoD Security Assessment Deliverables

Testing of what’s applicable above all rolls up into your 3PAO-developed DoD assessment package, which includes the following required deliverables to be submitted to DISA:

  • Security Assessment Plan Package (SAP):
    • Includes control testing approach, methodology, testing scope, and penetration testing plan and/or rules of behavior.
  • Security Assessment Report Package (SAR):
    • Includes control testing results (FedRAMP controls, aforementioned DoD IL controls and parameters, SLAs, Privacy, and GR requirements), penetration testing report, data used for the assessment (e.g., raw scan output), and a Risk Exposure Table (RET).

DISA also requires a DoD Readiness Assessment Report (RAR) to be submitted for review as part of your initial assessment. As a summary of your security control capabilities, this is used for DoD’s easier digestion of your security assessment results as a whole.

Continuous Monitoring (Ongoing Assessment) Phase

Once the package has been reviewed and approved, your CSO obtains a DISA Provisional Authorization (PA) and MO ATO, after which you enter the continuous monitoring (annual assessment) phase.

Requirements for this recurring, annual assessment are reduced and typically include:

  • Core FedRAMP controls (with DoD parameters)
  • About one-third of discretionary controls (one-third of the total control baseline minus core controls):
    • Testing one-third of discretionary controls occurs in a rolling fashion (SLAs, Privacy included) so that all discretionary controls are tested by the end of the third annual assessment year.
  • All Non-NIST based requirements must be maintained.
  • DoD General Readiness Requirements are tested again during the third annual assessment.
    • Note: Some DoD MOs do not require this retesting of GRs at all, while some may want them retested on an annual basis.

Your annual assessments should occur before the DISA Provisional Authorization (PA) and MO ATO expiration date—talk to your MO for guidance to ensure your latest SAR will be delivered before due.

NOTE: A RAR is not a requirement for annual continuous monitoring (ongoing assessment).

DoD Requirements for Significant Changes

Of course, information systems aren’t static and you’ll probably introduce updates at some point—including after obtaining ATO. But like FedRAMP, DISA requires full planning, documentation, visibility and awareness, and security testing regarding changes deemed to affect your security posture or alter security control implementation.

A.K.A. “significant changes,” these are defined as the following:

“a change that is likely to affect the security state of an information system.” Examples are provided as follows: “Significant changes to an information system may include for example: (i) installation of a new or upgraded operating system, middleware component, or application; (ii) modifications to system ports, protocols, or services; (iii) installation of a new or upgraded hardware platform; (iv) modifications to cryptographic modules or services; or (v) modifications to security controls. Examples of significant changes to the environment of operation may include for example: (i) moving to a new facility; (ii) adding new core missions or business functions; (iii) acquiring specific and credible threat information that the organization is being targeted by a threat source; or (iv) establishing new/modified laws, directives, policies, or regulations.”

Talk to your FedRAMP/DoD advisor, DISA representative, and DoD MO to determine if your proposed change fits into this category and if so, here’s what has to happen:

  • You must complete a Security Impact Analysis (SIA) for DISA before implementing the change (typically before the change is assessed as well).
    • The SIA form can be found on the NIPRNet—ask your DISA representative or DoD MO for the location
  • You must give a 30-day notice before implementing significant changes so DISA has time to review the change and align the SIA.
    • DISA can revoke the DoD PA if proper notice is not given or if a change is implemented without authorization.
  • Specific policy guidance for significant changes can be found within the SRG Section 5.3.2 Change Control.

When submitting your Significant Change SIA, here’s a simple breakdown of where to send yours:

Submit to FedRAMP JAB if you are a:

Submit to DISA and DoD MO if you are a:

  • FedRAMP JAB P-ATO CSPs
  • FedRAMP Agency ATO CSP
  • Non-FedRAMP CSPs with DoD PA or ATO

No matter where you submit the form, DISA and/or the DoD MO will ultimately have a chance to review and approve all significant changes.

Next Steps for DoD Compliance

Like climbing K2, obtaining a DoD PA or ATO is possible despite the complications and requisite intensity. But with this “base camp” of information, you can move forward with DoD compliance using your new understanding of key details.

To learn more about federal compliance, check out our other articles delve into the various complexities:

Share this content on your favorite social network today!

Sign up to receive CSA's latest blogs

This list receives 1-2 emails a month.